Closed Bug 1359914 Opened 3 years ago Closed 3 years ago

Add ssp-buffer-size compiler flag

Categories

(Core :: Security, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: tjr, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [sg:want])

This bug was created as a clone of Bug 620058 which contains more context.
I don't think this is necessary. My understanding is that |ssp-buffer-size| was used to control the heuristic |-fstack-protector| used to decide which stack-allocated buffers needed protection. I think with |-fstack-protector-strong| this doesn't do anything. Have I misunderstood?
Flags: needinfo?(tom)
I didn't know, but google led me to https://lwn.net/Articles/584225/ which agrees with you.

-fstack-protector protects functions with a local array of 8 bytes or more. ssp-buffer-size can be used to lower that (e.g. to 4).  

-fstack-protector-strong protects functions with any size local array, or a few other conditions.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(tom)
Resolution: --- → INVALID
I guess what we could do, though, is try and make a case for turning on fstack-protector with a tuned ssp-buffer-size on release builds, and basically tuning the buffer-size so the performance is acceptable enough to land the change....

But this amount of effort for just Linux (and even Mac) for the limited security provided might not be worth it.
You need to log in before you can comment on or make changes to this bug.